I did infect a machine with msblaster (Windows XP straight out of the box) and put the machine behind a cheapy firewall using private addresses. I was able to get out to the internet, but I did end up blocking everything from this host outbound. Figured I didn't want to contribute to spreading this thing. I confirmed that the host was running the virus and trying to go outbound on 135.

Once I did that, I put the clock at 23:59 on the 15th and waited. Nothing happened, so @ 00:15 I rebooted; once I rebooted, that is when the DoS started to happen. Maybe I need to wait longer or maybe it needs to restart msblaster.

All you will see is port 80 connections going to windowsupdate.com. That is either 204.79.188.11 or 204.79.188.12. So, when it starts it does a query for windowsupdate.com and whichever IP address it gets first, that is what it hits. You won't see your own source for the DoS either; that will be generated. Since my PC was on 192.168.252.0, it was generating them for 192.168.x.x. That seems to be typical: the first two octets from your local host and the second two it generates.

Note: There are no DNS storms created by the DoS, and the port scanning for port 135 keeps going. The spreading of the virus keeps going, in other words.

Hope this helps. Good luck,

Christopher Lyon
Sr. Security Development Engineer
Affant Communication (formerly DNS Network Services)
v: 714-338-7106
f: 714-338-7101
cslyonat_private

> -----Original Message-----
> From: Sekurity Wizard [mailto:s.wizardat_private]
> Sent: Wednesday, August 13, 2003 12:03 PM
> To: incidentsat_private
> Subject: msblast.exe --> DDoS against windowsupdate.com (research)
>
> Hi all,
> Thought I'd do some research into this little hypothesis we've all been
> seeing, what will happen on the 16th!? Well, I've set up a named server
> (logging ALL queries into it) and an infected Win2k box (ran msblast.exe
> on it) into the same hub...and then set the date to the 16th......much to
> my surprise, NOTHING happened. Literally, nothing. No scanning for port
> 135, no DNS storms, no DDoS packets - nothing...what did I do wrong
> or...what does this mean?
>
> ./Wiz
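The traffic pattern described in the message above (port 80 connection attempts to 204.79.188.11 / 204.79.188.12 whose source address keeps the infected host's first two octets and randomizes the last two, while port 135 scanning continues) can be turned into a simple firewall-log check. The following is an added example, not code from the message or from any of the posters; the connection records, the local host address 192.168.252.10 and the 192.168.252.0/24 egress network are all constructed assumptions, and the classifier only encodes what the message itself reports.

```python
import ipaddress
from collections import Counter

# windowsupdate.com addresses as given in the message above.
WINDOWSUPDATE_IPS = {"204.79.188.11", "204.79.188.12"}

# Constructed sample of outbound connection attempts as a firewall might log
# them: (source IP, destination IP, destination port). Not real captured data.
SAMPLE_RECORDS = [
    ("192.168.252.10", "10.0.0.5",      135),  # infected host scanning for 135
    ("192.168.252.10", "10.0.0.6",      135),
    ("192.168.17.201", "204.79.188.11", 80),   # generated source, DoS traffic
    ("192.168.200.44", "204.79.188.11", 80),
    ("192.168.3.9",    "204.79.188.12", 80),
    ("192.168.252.10", "204.79.188.11", 80),   # host's own address, same target
    ("192.168.252.10", "198.51.100.7",  443),  # unrelated outbound traffic
]

# Assumed for the example: the real address of the infected machine and the
# subnet the firewall should accept as a legitimate source.
LOCAL_IP = "192.168.252.10"
LOCAL_NET = ipaddress.ip_network("192.168.252.0/24")


def same_first_two_octets(addr: str, local_ip: str) -> bool:
    """True when addr shares its first two octets with local_ip, the
    pattern the message reports for generated source addresses."""
    return addr.split(".")[:2] == local_ip.split(".")[:2]


def looks_generated(src: str, local_ip: str) -> bool:
    """A source that is not the host itself but sits in the same /16 matches
    the 'first two octets local, last two generated' description."""
    return src != local_ip and same_first_two_octets(src, local_ip)


def classify(local_ip, records):
    """Bucket outbound records into the categories the message describes."""
    counts = Counter()
    generated_sources = set()
    for src, dst, dport in records:
        if dst in WINDOWSUPDATE_IPS and dport == 80:
            if looks_generated(src, local_ip):
                counts["dos_generated_source"] += 1
                generated_sources.add(src)
            else:
                counts["dos_own_source"] += 1
        elif dport == 135:
            counts["scan_135"] += 1  # spreading continues alongside the DoS
        else:
            counts["other"] += 1
    return dict(counts), generated_sources


def egress_filter(records, local_net):
    """Anti-spoofing egress rule: only pass packets whose source address lies
    inside the local subnet. Returns (allowed, dropped) record lists."""
    allowed, dropped = [], []
    for rec in records:
        src = ipaddress.ip_address(rec[0])
        (allowed if src in local_net else dropped).append(rec)
    return allowed, dropped


if __name__ == "__main__":
    counts, sources = classify(LOCAL_IP, SAMPLE_RECORDS)
    print("classification:", counts)
    print("generated sources seen:", sorted(sources))
    allowed, dropped = egress_filter(SAMPLE_RECORDS, LOCAL_NET)
    print(f"egress filter: {len(allowed)} allowed, {len(dropped)} dropped")
```

Because the generated addresses share only the first two octets with the host, an egress rule keyed to the real /24 drops every DoS packet carrying a generated source while still passing the host's own traffic; the port 135 scanning, which uses the host's true address, is not affected by that rule and has to be blocked separately, as the message's author did by blocking all outbound traffic from the host.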
This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 11:32:14 PDT